xloader | 9a33dbdebade5d8be42726df8d9b8ebb50c0982a354aea70f6a07d97826953af

Analysis

max time kernel
119s
max time network
121s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
06-01-2024 10:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

455e9a76438e10a9c69c609d1d4ed136.exe
Size

685KB
MD5

455e9a76438e10a9c69c609d1d4ed136
SHA1

4e5e8ad8138ca39ae076e9d97c38b9275f6d9726
SHA256

9a33dbdebade5d8be42726df8d9b8ebb50c0982a354aea70f6a07d97826953af
SHA512

6235792be899e672f8881aecac785dc4bb3980e0899f1bb77d20b4617d06d107e770e9b05b41be71787d906efc082c4c708a05ba0c7821e8b48a7fe5da3f8b1b
SSDEEP

6144:FHSiQrg69Wg1ZeT4VB27uXAORbXHqU+7ptFg2bc47udTDLMLI7gXjt8Dwg9WELzL:Mug1ZeT4TXHHqU+Vbc47uMVjaDV9RLzL

Score

10^/10

xloader q3t0 loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

q3t0

Decoy

xn--n8jh0ox33v9th.club

realestateactiongroup.com

theblackcottage.com

iptvfresh.com

firstseviceresidential.com

enhancemarketingsolutions.com

matchawali.com

lockedselfstorage.com

laurencervera.com

waffleicionados.com

ryanplumbingandmechanical.com

mahalabartlemathiassen.com

enter-flowers.com

berlinclick.com

pop.direct

dangeranimalsfounded.press

sweetwhiskerscreamery.com

acaciamultimedia.com

thejoyfulmark.com

bspceducation.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader payload 1 IoCs

rat

resource	yara_rule
behavioral1/memory/2112-3-0x0000000000080000-0x00000000000A9000-memory.dmp	xloader

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1384 set thread context of 2112	1384	455e9a76438e10a9c69c609d1d4ed136.exe	14

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3004	2112	WerFault.exe	14

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
1384	455e9a76438e10a9c69c609d1d4ed136.exe
1384	455e9a76438e10a9c69c609d1d4ed136.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1384 wrote to memory of 2112	1384	455e9a76438e10a9c69c609d1d4ed136.exe	14
PID 1384 wrote to memory of 2112	1384	455e9a76438e10a9c69c609d1d4ed136.exe	14
PID 1384 wrote to memory of 2112	1384	455e9a76438e10a9c69c609d1d4ed136.exe	14
PID 1384 wrote to memory of 2112	1384	455e9a76438e10a9c69c609d1d4ed136.exe	14
PID 1384 wrote to memory of 2112	1384	455e9a76438e10a9c69c609d1d4ed136.exe	14
PID 2112 wrote to memory of 3004	2112	455e9a76438e10a9c69c609d1d4ed136.exe	15
PID 2112 wrote to memory of 3004	2112	455e9a76438e10a9c69c609d1d4ed136.exe	15
PID 2112 wrote to memory of 3004	2112	455e9a76438e10a9c69c609d1d4ed136.exe	15
PID 2112 wrote to memory of 3004	2112	455e9a76438e10a9c69c609d1d4ed136.exe	15

C:\Users\Admin\AppData\Local\Temp\455e9a76438e10a9c69c609d1d4ed136.exe
"C:\Users\Admin\AppData\Local\Temp\455e9a76438e10a9c69c609d1d4ed136.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2112
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2112 -s 36
  2⤵
  - Program crash
  PID:3004

C:\Users\Admin\AppData\Local\Temp\455e9a76438e10a9c69c609d1d4ed136.exe
"C:\Users\Admin\AppData\Local\Temp\455e9a76438e10a9c69c609d1d4ed136.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1384

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1384-2-0x0000000000080000-0x0000000000082000-memory.dmp

Filesize
8KB

Download
memory/1384-1-0x0000000000150000-0x0000000000250000-memory.dmp

Filesize
1024KB

Download
memory/2112-3-0x0000000000080000-0x00000000000A9000-memory.dmp

Filesize
164KB

Download